TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Affordable Care Act – The Income and Family Size Verification Project: Improvements Could Strengthen the Internal Revenue Service’s New Systems Development Process

March 29, 2013

Reference Number: 2013-23-034

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number   | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website        | http://www.treasury.gov/tigta

HIGHLIGHTS

AFFORDABLE CARE ACT – THE INCOME AND FAMILY SIZE VERIFICATION PROJECT: IMPROVEMENTS COULD STRENGTHEN THE INTERNAL REVENUE SERVICE’S NEW SYSTEMS DEVELOPMENT PROCESS

Highlights

Final Report issued on March 29, 2013

Highlights of Reference Number: 2013-23-034 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

In March 2010, the President signed into law the Patient Protection and Affordable Care Act (ACA) to provide more Americans with access to affordable health care by January 1, 2014. The Income and Family Size Verification (IFSV) Project is a core project of the ACA Program and will support open enrollment beginning in October 2013. The IFSV Project is important to the functionality and success of the ACA Program because it is responsible for developing a solution that will verify income and family size, based on tax return data, for determining an individual’s eligibility for the advanced premium tax credit for health insurance.

WHY TIGTA DID THE AUDIT

This audit was initiated to determine whether the IRS adequately managed systems development risk for the IFSV Project. Specifically, TIGTA evaluated whether the IFSV Project adequately managed project management risk related to the new Iterative Path of the Enterprise Life Cycle and whether the IFSV Project developed a security plan to protect taxpayer data. To accomplish these objectives, TIGTA reviewed high-risk areas related to the IRS applying the new Iterative Path to the IFSV Project as its systems development life cycle rather than a traditional sequential life cycle (e.g., Waterfall Systems Development Life Cycle Path). TIGTA also considered information technology security documentation for the IFSV Project.

WHAT TIGTA FOUND

By the end of August 2012, the IFSV Project had completed all six systems development components, each delivering a piece of approved functionality. While cost data specific to the IFSV Project were not readily available during this audit, the IRS is generally managing systems development risk areas with the implementation of the new Iterative Path within the Enterprise Life Cycle. However, process improvements are needed to better ensure that (1) the IFSV Project team adheres to configuration management guidelines when baselined requirements are changed and (2) the ACA Program Configuration Control Board emergency meeting processes are effectively communicated. Further, an integrated suite of automated tools could improve requirements management and testing for the IFSV Project.

WHAT TIGTA RECOMMENDED

TIGTA made three recommendations to the Chief Technology Officer. In management’s response to the report, the IRS agreed with our first two recommendations and plans to implement corrective actions for both.

However, the IRS disagreed with our third recommendation to implement a standard suite of integrated, automated tools for the ACA Program and ACA projects to manage sprint processes, develop and manage requirements, develop and manage test cases, and bidirectionally trace requirements and test cases. Notwithstanding the IRS’s response, TIGTA believes that an action plan to address this recommendation would permit the IRS to better ensure long-term success for the IFSV Project along with the many other information technology components and systems supporting new functionality and transactions required to address its mission-critical capabilities under the ACA.

Lastly, the IRS disagreed with the statement in the report that cost data were not readily available during the audit. TIGTA maintains that cost information was not readily available because it took the IRS 28 business days to provide basic budget and cost data.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION

March 29, 2013

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:     Michael E. McKenney
          Acting Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Affordable Care Act – The Income and Family Size Verification Project: Improvements Could Strengthen the Internal Revenue Service’s New Systems Development Process (Audit 201220312)

This report presents the results of our review of how the Income and Family Size Verification Project managed the new Iterative Path as its systems development life cycle. The overall objective of this review was to determine whether the Internal Revenue Service (IRS) is adequately managing systems development risk for the Income and Family Size Verification Project under the Affordable Care Act Program. This audit was included in the Treasury Inspector General for Tax Administration Fiscal Year 2012 Annual Audit Plan and addresses the major management challenge of Implementing Major Tax Law Changes.

We request that the IRS Acting Commissioner submit, within 30 calendar days of the final report issuance date, a written reply regarding the disagreed recommendation to the Assistant Secretary for Management and Chief Financial Officer of the Department of the Treasury, with a copy to the Treasury Inspector General for Tax Administration.

Management’s complete response to the draft report is included as Appendix V in the attached PowerPoint presentation.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.
Please contact me or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), if you have questions.

Attachment

Table of Contents

Background ..... 5
Audit Objective ..... 10
Results of Review ..... 11
  The IFSV Project Is Generally Managing Systems Development Risk Areas ..... 12
  The IFSV Project Did Not Always Adhere to Configuration Management Guidelines ..... 14
    Recommendation 1 ..... 16
  Communication of Configuration Management Processes Would Improve Implementation of the Iterative Path ..... 17
    Recommendation 2 ..... 19
  An Integrated Suite of Tools Could Improve Requirements Management for the IFSV Project ..... 20
    Recommendation 3 ..... 21
Appendices ..... 24
  Appendix I – Detailed Objective, Scope, and Methodology ..... 24
  Appendix II – Major Contributors to This Report ..... 27
  Appendix III – Report Distribution List ..... 28
  Appendix IV – Glossary of Terms ..... 29
  Appendix V – Management’s Response to the Draft Report ..... 33

Abbreviations

Abbreviation   Description
ACA            Affordable Care Act
CCB            Configuration Control Board
ELC            Enterprise Life Cycle
IFSV           Income and Family Size Verification
IRS            Internal Revenue Service
PMO            Program Management Office
TIGTA          Treasury Inspector General for Tax Administration

Background

- In March 2010, the President signed into law the Patient Protection and Affordable Care Act (ACA) [1] to provide more Americans with access to affordable health care by January 1, 2014.
- Much of the ACA is funded by changes to the tax law. As the Federal agency that administers the tax laws, the Internal Revenue Service (IRS) will administer the tax provisions included in the ACA legislation.
- The IRS ACA Information Technology Program Management Office segmented implementation of the ACA into various releases.
- Figure 1 provides a brief description of the ACA releases.

_________________________

[1] Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered sections of the U.S. Code), as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029.

Figure 1: Description of ACA Releases

ACA Release    Go Live Date           Description
ACA 1.0        In Production          Includes the functionality of several ACA provisions, e.g., the
               January 2011           Small Business Healthcare Tax Credit and the Charitable
                                      Hospital Reporting provisions.
ACA 2.0        In Production          Includes functionality to support the Branded Prescription Drug
               July 2011              provision of the ACA.
ACA 3.0        October 2013           Includes the functionality of the following ACA process areas:
                                      Eligibility and Enrollment, Customer Service, Reporting, and
                                      Non-Exchange.
ACA 4.0/4.1    January–October 2014   This release will build on the transactional and bulk data
                                      processes established in ACA 3.0, will expand the breadth of
                                      data stored in the data repository, and will enhance reporting
                                      capabilities.
ACA 5.0        June 2015              Includes the functionality of at-filing compliance.
ACA 6.0        December 2015          Includes the functionality of post-filing compliance.

Sources: Affordable Care Act Program Baseline Requirements, Solution Architecture and IT Roadmap, Version 2.2; Affordable Care Act Program Management Office Program Management and Integration Plan, Version 1.0; and the Implementing Tax Law Changes From the Affordable Care Act in the IRS Information Technology Briefing dated August 27, 2012.

- ACA 3.0 is focusing on the Eligibility and Enrollment process area.
  As part of ACA 3.0, the Income and Family Size Verification (IFSV) Project will support open enrollment and is one of six core ACA Program projects being implemented in October 2013.
- Based on tax return data, the IFSV Project will verify income and family size for individuals requesting eligibility for an advanced premium tax credit for health insurance.
- Due to ongoing interpretation of provisions established by the ACA legislation, the IRS decided to apply the new Iterative Path to the IFSV Project as its Systems Development Life Cycle, rather than a traditional sequential life cycle (e.g., Waterfall Systems Development Life Cycle Path).
- The new Iterative Path of the Enterprise Life Cycle (ELC) is considered an agile [2] approach to systems development and is suited for projects that change quickly and have requirements that are undefined. The Iterative Path facilitates development of the defined requirements while other requirements are being established.
- Under the new Iterative Path, a process known as “sprints” develops a piece of functionality of the system with repeated cycles of requirements discovery, planning, design, development, and testing.

_________________________

[2] The IRS applies the term “agile” to represent a type of software development methodology based on iterative and incremental methods that promotes teamwork, collaboration, and process adaptability throughout the life-cycle of the project.

- Benefits expected by the ACA Program Management Office (PMO) with the implementation of the Iterative Path include:
    - Increased collaboration between stakeholders and the information technology development team.
    - Incremental functionality and shorter time periods through sprints.
    - Better alignment between the product and stakeholders’ requests.
- The IFSV Project is being developed primarily by IRS employees within the ACA PMO.
- Cost data specific to the IFSV Project were not readily available during our audit.

Audit Objective

- Determine whether the IRS is adequately managing systems development risk for the IFSV Project under the ACA Program.
    - Evaluate whether the IFSV Project is adequately managing project management risk related to the new Iterative Path of the ELC.
    - Determine whether the IFSV Project has developed a security plan to protect taxpayer data and whether Federal requirements have been considered.

Results of Review

- The IFSV Project Is Generally Managing Systems Development Risk Areas (see slides 12 through 13).
- The IFSV Project Did Not Always Adhere to Configuration Management Guidelines (see slides 14 through 16).
- Communication of Configuration Management Processes Would Improve Implementation of the Iterative Path (see slides 17 through 19).
- An Integrated Suite of Tools Could Improve Requirements Management for the IFSV Project (see slides 20 through 23).

The IFSV Project Is Generally Managing Systems Development Risk Areas

- The IFSV Project is generally managing risk areas when using the new Iterative Path of the ELC. Specifically, in the areas of:
    - Stakeholder involvement – Stakeholders are committed to the new Iterative Path process, embedded in the IFSV Project team, and involved on a continuous basis by providing feedback to the project team.
    - Project planning activities – The IFSV Project conducted sprint planning activities to identify and prioritize requirements to be coded and tested and received stakeholder agreement on tasks to be completed during a sprint.
    - Sprint systems development and testing activities – Controls are in place to ensure that requirements are coded and tested during a sprint and that stakeholders approve sprint results prior to starting the next sprint.
    - Iterative Path lessons learned – The IFSV Project incorporated lessons learned from a prior ACA project that piloted the new Iterative Path methodology.
- A security plan intended to protect taxpayer data was developed that incorporated Federal Information Security Management Act and National Institute of Standards and Technology guidelines.
- The IRS informed us that governance models, including Control Objectives for Information Technology, were considered and evaluated to complement the IRS’s ELC to provide a control framework for the design and development of all IRS information technology projects. We performed a limited assessment of the overall ELC control framework for the IFSV Project.
- By the end of August 2012, the IFSV Project had completed all six scheduled sprints, each developing a piece of approved functionality including receiving and validating requests for household income verification and family size, locating tax records based on information in the requests, and calculating individual and household modified adjusted gross income.
- The IRS is currently conducting project integration testing of ACA 3.0, which includes the IFSV Project.

The IFSV Project Did Not Always Adhere to Configuration Management Guidelines

- The ACA Program Configuration Management Plan requires that a change request and impact assessment be prepared and approved to change baselined requirements.
- We judgmentally sampled [3] and reviewed six of 19 total IFSV Project change requests as of July 5, 2012. We selected these six because they were designated by the IRS as critical.
- We determined these six critical change requests were processed in accordance with the configuration management guidelines.
- We also judgmentally sampled and reviewed six of 61 baselined requirements to determine whether possible changes to the requirements adhered to configuration management guidelines. We selected six baselined requirements, which are each important to the basic functionality of the IFSV Project. A change request and impact assessment should be prepared for every changed requirement.

_________________________

[3] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

- Four of the six baselined requirements that we sampled were changed. Our review determined that the IFSV Project team did not adequately prepare a change request [4] and an impact assessment for one of these four requirements.
- Specifically, the change request and impact assessment did not include the requirement or address the potential impact of the change on other ACA requirements.
- If configuration management guidelines are not properly followed, IRS management may not be able to determine the potential impact of changed requirements on IFSV Project requirements, other ACA projects, and system functionality. As a result, all functionality may not be properly developed, which could negatively impact ACA Program deployment.
- Management Action: Once we advised the IFSV Project Manager of this finding, a change request and impact assessment were prepared and approved during our audit fieldwork.

_________________________

[4] This change request for a baselined requirement is intended to ensure that if any Social Security Administration Name Control in the Health and Human Services’ request does not match the Name Control in the National Account Profile record by Taxpayer Identification Number, the IFSV shall not provide tax record information for any applicant listed on the request.

Recommendation

- Recommendation 1: The Chief Technology Officer should complete a broader review to evaluate the effectiveness of existing controls to ensure that change requests and impact assessments are adequately developed and processed as required by the ACA Program Configuration Management guidelines.
    - Management’s Response: The IRS agreed with this recommendation. The IRS plans to conduct a review across the ACA PMO to evaluate the effectiveness of existing controls for change requests and impact assessments.

Communication of Configuration Management Processes Would Improve Implementation of the Iterative Path

- The ACA Program Configuration Management Plan outlines change management processes for the ACA Program and projects.
- The IFSV Project uses this plan as the primary guidance for change management. Guidance states that proposed changes to baselined requirements are submitted via change requests.
- The ACA PMO informed us that emergency Program Configuration Control Board (CCB) meetings have been convened, when needed, to review and approve proposed change requests.
- The ACA Program CCB Charter states that the Program CCB may meet monthly or convene emergency meetings to review and approve proposed change requests.
  However, the IFSV Project team expressed concern over the Program CCB’s untimely response to an important change request [5] during our review.

_________________________

[5] This change request recommended that IFSV directly interface with the ACA Coverage Data Repository.

- Further, the ACA Program Configuration Management Plan does not include procedures for a project to request an emergency Program CCB meeting prior to the next scheduled monthly meeting when a timely response is needed to address a change request.
- An emergency Program CCB meeting may be necessary to align with IFSV Project sprints that typically last only four to six weeks. Untimely responses to change requests by the Program CCB could result in IFSV Project delays and negatively impact ACA Program deployment.

Recommendation

- Recommendation 2: The Chief Technology Officer should ensure that the ACA Program Configuration Management Plan is updated to include procedures to request and convene emergency ACA Program CCB meetings when timely program-level responses are needed.
    - Management’s Response: The IRS agreed with this recommendation. The IRS plans to update the ACA Program Configuration Management Plan documentation, providing clear direction for convening emergency Program CCB meetings when needed.

An Integrated Suite of Tools Could Improve Requirements Management for the IFSV Project

- The Rational RequisitePro tool is the IRS Enterprise Architecture standard for requirements management. The IFSV Project team uses the Rational RequisitePro tool to manage their requirements. Requirements are manually imported into the IFSV sprint management tool, Rational Team Concert.
- However, Rational RequisitePro and Rational Team Concert are not integrated to automatically update changes to requirements in both tools. Therefore, the IFSV Project team must manually input changes in both tools to ensure that requirements are accurately updated. To ensure timely and consistent requirements management, this process should be integrated and automated.
- The IRS’s current manual process heightens the risk that requirements may not be timely and accurately reflected in both tools.
As a result, the project\n    could be developed based on inaccurate requirements, which could\n    negatively impact ACA systems functionality.\n\n\n                                                                                 20\n\x0c                                      Recommendation\n\n\xef\x81\xb1   Recommendation 3: The Chief Technology Officer should ensure that\n    a standard suite of integrated, automated tools is implemented for the ACA\n    Program and ACA projects to manage sprint processes, develop and\n    manage requirements, develop and manage test cases, and bidirectionally\n    trace requirements and test cases.\n    \xef\x81\xb1   Management\xe2\x80\x99s Response: The IRS disagreed with this\n        recommendation. 6 The Chief Technology Officer stated in his written\n        response to the draft report that this recommendation \xe2\x80\x9cdoes not offer\n        flexibility for projects that are not good candidates for automated tools.\xe2\x80\x9d\n        Further, the Chief Technology Officer commented that \xe2\x80\x9cautomated tools\n        are not always necessary to maintain control over requirements, test\n        cases management, and traceability, so we do not agree with TIGTA\n        [Treasury Inspector General for Tax Administration] prescribing their\n        use.\xe2\x80\x9d\n_________________________\n\n6 We made a similar recommendation in a previous report (TIGTA, Ref. No. 2012-20-122, Customer\nAccount Data Engine 2 (CADE 2): System Requirements and Testing Processes Need Improvements\n(Sept. 2012)). The IRS also disagreed with this recommendation at that time.\n                                                                                                 21\n\x0c\xef\x81\xb1   Office of Audit Comment: The IRS disagreed with this\n    recommendation and consequently the Chief Technology Officer does\n    not plan to take corrective actions. 
  We discussed this finding and recommendation with IFSV Project officials during the
  audit closing conference. At that time, we explained that this recommendation is
  specific to the ACA Program and ACA projects, and that the recommendation is not
  directed generally toward other IRS programs and projects.

  The IRS recognized that the current manual requirements management process
  heightens the risk that information technology requirements may not be timely and
  accurately reflected across the separate management tools. This audit concluded
  that a standard suite of automated tools could help the IRS to mitigate this risk.
  In addition, best practices suggest the current manual processes should be
  integrated and automated to efficiently manage sprint processes, develop and manage
  requirements, develop and manage test cases, and bidirectionally trace requirements
  and test cases.

  Our audit also considered that there are multiple projects under the ACA Program,
  which is managing volumes of information technology requirements in a highly
  dynamic environment. Consequently, TIGTA maintains that this recommendation
  requires an action plan to develop and implement a suite of integrated, automated
  tools to support all phases of the ACA Program and ACA projects. Such an action
  plan would permit the IRS to better ensure long-term success for the IFSV Project
  along with the many other information technology components and systems supporting
  new functionality and transactions required by the IRS to address mission-critical
  capabilities under the ACA.

  The IRS also disagreed with the statement in the report that cost data were not
  readily available during the audit. We agree that cost information was requested
  after the audit closing.
  We requested information on the IFSV Project’s budget and actual cost data that
  could be provided quickly and easily. However, it took the IRS 28 business days to
  provide basic budget and cost data for the IFSV Project. TIGTA maintains that cost
  data specific to the IFSV Project were not readily available during our audit, due
  to the length of time it took the IRS to provide basic budget and cost data.

Appendix I

Detailed Objective, Scope, and Methodology

• Overall Objective: Determined whether the IRS is adequately managing systems
  development risk for the IFSV Project under the ACA Program. Specifically, we:
• Evaluated whether the IFSV Project is managing project management risk related to
  the new Iterative Path of the ELC. Focus areas included:
    • Culture change.
    • Stakeholder involvement.
    • IFSV Project planning activities.
    • IFSV Project sprint systems development and testing activities.
    • Control framework applied with the IFSV Project.
    • IFSV Project requirements and change management – we judgmentally sampled and
      reviewed six of 19 total IFSV Project change requests. We selected these six
      because they were designated as critical. Also, we judgmentally sampled six of
      61 baselined requirements, which are each important to the basic functionality
      of the IFSV Project.
      Both samples were selected to determine whether the configuration management
      guidelines were followed.
• Determined whether the IFSV Project developed and documented a security plan to
  protect taxpayer data and whether Federal Information Security Management Act and
  National Institute of Standards and Technology guidelines were considered.
• For conditions identified, obtained documentation and interviewed personnel to
  support and determine the cause.
• This review was performed at the Information Technology organization (formerly
  known as the Modernization and Information Technology Services organization) in
  Farmers Branch, Texas, in the ACA PMO from June through August 2012.
• We conducted this performance audit in accordance with generally accepted
  government auditing standards, which require that we plan and perform the audit to
  obtain sufficient, appropriate evidence to provide a reasonable basis for our
  findings and conclusions based on our audit objective. We believe that the evidence
  obtained provides a reasonable basis for our findings and conclusions based on our
  audit objective.

Internal Controls Methodology

• Internal controls relate to management’s plans, methods, and procedures used to
  meet their mission, goals, and objectives. Internal controls include the processes
  and procedures for planning, organizing, directing, and controlling program
  operations.
  They include the systems for measuring, reporting, and monitoring program
  performance.
• We determined the following internal controls were relevant to our audit objective:
  1) the Internal Revenue Manual and related IRS guidelines and 2) the processes
  followed in the development of information technology projects using the Iterative
  Path.
• We evaluated these controls by conducting interviews with management and staff;
  making on-site observations of sprint planning, system development, and testing
  activities; and reviewing documentation.
• Documents reviewed include the IFSV Project Management Plan, the Iterative
  Development and Testing Process Description, and other documents that provided
  evidence of whether the IRS is adequately managing systems development risk for the
  IFSV Project.

Appendix II

Major Contributors to This Report

• Alan R. Duncan, Assistant Inspector General for Audit (Security and Information
  Technology Services)
• Gwendolyn McGowan, Director
• Suzanne Westcott, Audit Manager
• David F. Allen, Lead Auditor
• Wallace Sims, Senior Auditor
• Linda Nethery, Information Technology Specialist

Appendix III

Report Distribution List

• Acting Commissioner C
• Office of the Commissioner – Attn: Chief of Staff C
• Deputy Commissioner for Operations Support OS
• Deputy Commissioner for Services and Enforcement SE
• Deputy Chief Information Officer for Operations OS:CTO
• Acting Director, Affordable Care Act Office SE:ACA
• Director, Privacy, Governmental Liaison and Disclosure OS:P
• Associate Chief Information Officer, Affordable Care Act – Program Management
  Office OS:CTO:ACA
• Chief Counsel CC
• National Taxpayer Advocate TA
• Director, Office of Legislative Affairs CL:LA
• Director, Office of Program Evaluation and Risk Analysis RAS:O
• Office of Internal Control OS:CFO:CPIC:IC
• Audit Liaisons:
    • Deputy Commissioner for Services and Enforcement SE
    • Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Glossary of Terms

Term
    Definition

Change Management
    The transition of a changed or new product through development to deployment into
    the current production environment with minimum disruption to users. This can
    occur in a number of ways including, but not limited to: (1) implementation of a
    change to a product baseline, (2) establishing a new product baseline, and/or
    (3) a change to a Service Level Agreement.

Change Request
    The method for requesting approval to change a baselined product or other
    controlled item.

Configuration Control Board (CCB)
    Serves as the change approval authority for baselined products.

Configuration Control Board Charter
    The ACA Program CCB Charter establishes the ACA Program CCB and defines its
    authority, threshold, responsibilities, and membership.

Configuration Management
    Establishes proper control over approved project documentation, hardware, and
    software and assures changes are authorized, controlled, and tracked.

Configuration Management Plan
    Documents the configuration management processes that the ACA PMO will use to
    maintain the integrity of configuration items, associated artifacts, and other
    products throughout the product life cycle as they relate to the technical
    baseline.

Control Objectives for Information Technology (COBIT)
    An information technology governance framework and supporting toolset that allows
    managers to bridge the gap between control requirements, technical issues, and
    business risks. It enables clear policy development and a good practice for
    information technology control throughout organizations.

Eligibility and Enrollment Process Area
    This is one of four ACA process areas to be delivered under ACA Release 3.0. It
    will provide verification of income and family size and determination of advanced
    premium tax credit.

Enterprise Life Cycle
    The IRS’s software development life cycle for information technology projects. It
    provides the critical framework/foundation for IRS information technology
    projects. The Enterprise Life Cycle facilitates project success through critical
    step-by-step discipline and structure.

Federal Information Security Management Act
    A statute that requires agencies to assess risks to information systems and
    provide information security protections commensurate with the risks. The Federal
    Information Security Management Act also requires that agencies integrate
    information security into their capital planning and enterprise architecture
    processes, conduct annual information systems security reviews of all programs
    and systems, and report the results of those reviews to the Office of Management
    and Budget. (Title III, P.L. 107-347.)

Framework
    A structure that facilitates the understanding of a complex topic by breaking the
    topic into multiple pieces or features, classifying the features, illustrating
    relationships between the features, and organizing them in a manner that
    facilitates visualization and practical usage.

Impact Assessment
    An evaluation of a change request to determine its impact on a project’s
    schedule, cost, other dependent projects, and upstream and downstream systems.

National Institute of Standards and Technology
    A nonregulatory Federal agency within the Department of Commerce responsible for
    developing standards and guidelines, including minimum requirements, for
    providing adequate information security for all Federal Government agency
    operations and assets.

Rational RequisitePro
    An application used for requirements management. The IRS has established Rational
    RequisitePro as its Enterprise Architecture standard for requirements management.
    It is used to capture detailed requirement data such as the requirement text and
    any supporting attributes to organize or clarify the requirement. The application
    also has the capability to create and maintain full requirements traceability
    within a single project or across multiple projects.

Rational Team Concert
    The tool the IFSV Project team uses to manage their sprint processes. Rational
    Team Concert provides a lean collaborative life cycle management solution with
    agile and formal planning, project reporting, process workflow, work item
    management, source code management, and build management in a single integrated
    product.

Requirement
    A formalization of a need; it is the statement of a capability or condition that
    a system, subsystem, or system component must have or meet to satisfy a contract,
    standard, or specification.

Sprint
    ACA projects conduct a series of “Sprints,” either sequentially or in parallel,
    within each release. The goal of each sprint is to get a subset of the project’s
    functionality to a “production-ready” state. At the end of the sprint, the
    functionality developed will be fully tested (although it will not be put into
    production until a later date). The duration of each sprint is typically four to
    six weeks.

Systems Development Life Cycle
    The scope of activities associated with a system, encompassing the system’s
    initiation, development and acquisition, implementation, operation and
    maintenance, and ultimately its disposal, which instigates another system
    initiation.

Waterfall Path
    The Waterfall Path is distinguished by sequential development of a solution with
    planned reviews and formal approvals required before continuation of work. The
    solution design evolves through a planned progression of successive levels from
    logical design to development, and then solution components are developed.

Appendix V

Management’s Response to the Draft Report

Management’s complete response to the draft report is included beginning on the next
page.
'